git.samba.org / obnox / samba-ctdb.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Fix bug #7669.
[obnox/samba-ctdb.git] / source3 / lib / util_sid.c
1 /* 
2    Unix SMB/CIFS implementation.
3    Samba utility functions
4    Copyright (C) Andrew Tridgell                1992-1998
5    Copyright (C) Luke Kenneth Caseson Leighton  1998-1999
6    Copyright (C) Jeremy Allison                 1999
7    Copyright (C) Stefan (metze) Metzmacher      2002
8    Copyright (C) Simo Sorce                     2002
9    Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2005
10       
11    This program is free software; you can redistribute it and/or modify
12    it under the terms of the GNU General Public License as published by
13    the Free Software Foundation; either version 3 of the License, or
14    (at your option) any later version.
15    
16    This program is distributed in the hope that it will be useful,
17    but WITHOUT ANY WARRANTY; without even the implied warranty of
18    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
19    GNU General Public License for more details.
20    
21    You should have received a copy of the GNU General Public License
22    along with this program.  If not, see <http://www.gnu.org/licenses/>.
23 */
24
25 #include "includes.h"
26
27 /*
28  * Some useful sids, more well known sids can be found at
29  * http://support.microsoft.com/kb/243330/EN-US/
30  */
31
32
33 const DOM_SID global_sid_World_Domain =               /* Everyone domain */
34 { 1, 0, {0,0,0,0,0,1}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
35 const DOM_SID global_sid_World =                      /* Everyone */
36 { 1, 1, {0,0,0,0,0,1}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
37 const DOM_SID global_sid_Creator_Owner_Domain =       /* Creator Owner domain */
38 { 1, 0, {0,0,0,0,0,3}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
39 const DOM_SID global_sid_NT_Authority =                 /* NT Authority */
40 { 1, 0, {0,0,0,0,0,5}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
41 const DOM_SID global_sid_System =                       /* System */
42 { 1, 1, {0,0,0,0,0,5}, {18,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
43 const DOM_SID global_sid_NULL =                         /* NULL sid */
44 { 1, 1, {0,0,0,0,0,0}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
45 const DOM_SID global_sid_Authenticated_Users =  /* All authenticated rids */
46 { 1, 1, {0,0,0,0,0,5}, {11,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
47 #if 0
48 /* for documentation */
49 const DOM_SID global_sid_Restriced =                    /* Restriced Code */
50 { 1, 1, {0,0,0,0,0,5}, {12,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
51 #endif
52 const DOM_SID global_sid_Network =                      /* Network rids */
53 { 1, 1, {0,0,0,0,0,5}, {2,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
54
55 const DOM_SID global_sid_Creator_Owner =                /* Creator Owner */
56 { 1, 1, {0,0,0,0,0,3}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
57 const DOM_SID global_sid_Creator_Group =                /* Creator Group */
58 { 1, 1, {0,0,0,0,0,3}, {1,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
59 const DOM_SID global_sid_Anonymous =                    /* Anonymous login */
60 { 1, 1, {0,0,0,0,0,5}, {7,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
61
62 const DOM_SID global_sid_Builtin =                      /* Local well-known domain */
63 { 1, 1, {0,0,0,0,0,5}, {32,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
64 const DOM_SID global_sid_Builtin_Administrators =       /* Builtin administrators */
65 { 1, 2, {0,0,0,0,0,5}, {32,544,0,0,0,0,0,0,0,0,0,0,0,0,0}};
66 const DOM_SID global_sid_Builtin_Users =                /* Builtin users */
67 { 1, 2, {0,0,0,0,0,5}, {32,545,0,0,0,0,0,0,0,0,0,0,0,0,0}};
68 const DOM_SID global_sid_Builtin_Guests =               /* Builtin guest users */
69 { 1, 2, {0,0,0,0,0,5}, {32,546,0,0,0,0,0,0,0,0,0,0,0,0,0}};
70 const DOM_SID global_sid_Builtin_Power_Users =  /* Builtin power users */
71 { 1, 2, {0,0,0,0,0,5}, {32,547,0,0,0,0,0,0,0,0,0,0,0,0,0}};
72 const DOM_SID global_sid_Builtin_Account_Operators =    /* Builtin account operators */
73 { 1, 2, {0,0,0,0,0,5}, {32,548,0,0,0,0,0,0,0,0,0,0,0,0,0}};
74 const DOM_SID global_sid_Builtin_Server_Operators =     /* Builtin server operators */
75 { 1, 2, {0,0,0,0,0,5}, {32,549,0,0,0,0,0,0,0,0,0,0,0,0,0}};
76 const DOM_SID global_sid_Builtin_Print_Operators =      /* Builtin print operators */
77 { 1, 2, {0,0,0,0,0,5}, {32,550,0,0,0,0,0,0,0,0,0,0,0,0,0}};
78 const DOM_SID global_sid_Builtin_Backup_Operators =     /* Builtin backup operators */
79 { 1, 2, {0,0,0,0,0,5}, {32,551,0,0,0,0,0,0,0,0,0,0,0,0,0}};
80 const DOM_SID global_sid_Builtin_Replicator =           /* Builtin replicator */
81 { 1, 2, {0,0,0,0,0,5}, {32,552,0,0,0,0,0,0,0,0,0,0,0,0,0}};
82 const DOM_SID global_sid_Builtin_PreWin2kAccess =       /* Builtin pre win2k access */
83 { 1, 2, {0,0,0,0,0,5}, {32,554,0,0,0,0,0,0,0,0,0,0,0,0,0}};
84
85 const DOM_SID global_sid_Unix_Users =                   /* Unmapped Unix users */
86 { 1, 1, {0,0,0,0,0,22}, {1,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
87 const DOM_SID global_sid_Unix_Groups =                  /* Unmapped Unix groups */
88 { 1, 1, {0,0,0,0,0,22}, {2,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
89
90 /* Unused, left here for documentary purposes */
91 #if 0
92 #define SECURITY_NULL_SID_AUTHORITY    0
93 #define SECURITY_WORLD_SID_AUTHORITY   1
94 #define SECURITY_LOCAL_SID_AUTHORITY   2
95 #define SECURITY_CREATOR_SID_AUTHORITY 3
96 #define SECURITY_NT_AUTHORITY          5
97 #endif
98
99 /*
100  * An NT compatible anonymous token.
101  */
102
103 static DOM_SID anon_sid_array[3] =
104 { { 1, 1, {0,0,0,0,0,1}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}},
105   { 1, 1, {0,0,0,0,0,5}, {2,0,0,0,0,0,0,0,0,0,0,0,0,0,0}},
106   { 1, 1, {0,0,0,0,0,5}, {7,0,0,0,0,0,0,0,0,0,0,0,0,0,0}} };
107 NT_USER_TOKEN anonymous_token = { 3, anon_sid_array, SE_NONE };
108
109 static DOM_SID system_sid_array[1] =
110 { { 1, 1, {0,0,0,0,0,5}, {18,0,0,0,0,0,0,0,0,0,0,0,0,0,0}} };
111 NT_USER_TOKEN system_token = { 1, system_sid_array, SE_ALL_PRIVS };
112
113 /****************************************************************************
114  Lookup string names for SID types.
115 ****************************************************************************/
116
117 static const struct {
118         enum lsa_SidType sid_type;
119         const char *string;
120 } sid_name_type[] = {
121         {SID_NAME_USER, "User"},
122         {SID_NAME_DOM_GRP, "Domain Group"},
123         {SID_NAME_DOMAIN, "Domain"},
124         {SID_NAME_ALIAS, "Local Group"},
125         {SID_NAME_WKN_GRP, "Well-known Group"},
126         {SID_NAME_DELETED, "Deleted Account"},
127         {SID_NAME_INVALID, "Invalid Account"},
128         {SID_NAME_UNKNOWN, "UNKNOWN"},
129         {SID_NAME_COMPUTER, "Computer"},
130
131         {(enum lsa_SidType)0, NULL}
132 };
133
134 const char *sid_type_lookup(uint32 sid_type) 
135 {
136         int i = 0;
137
138         /* Look through list */
139         while(sid_name_type[i].sid_type != 0) {
140                 if (sid_name_type[i].sid_type == sid_type)
141                         return sid_name_type[i].string;
142                 i++;
143         }
144
145         /* Default return */
146         return "SID *TYPE* is INVALID";
147 }
148
149 /**************************************************************************
150  Create the SYSTEM token.
151 ***************************************************************************/
152
153 NT_USER_TOKEN *get_system_token(void) 
154 {
155         return &system_token;
156 }
157
158 /******************************************************************
159  get the default domain/netbios name to be used when dealing 
160  with our passdb list of accounts
161 ******************************************************************/
162
163 const char *get_global_sam_name(void) 
164 {
165         if ((lp_server_role() == ROLE_DOMAIN_PDC) || (lp_server_role() == ROLE_DOMAIN_BDC)) {
166                 return lp_workgroup();
167         }
168         return global_myname();
169 }
170
171 /*****************************************************************
172  Convert a SID to an ascii string.
173 *****************************************************************/
174
175 char *sid_to_fstring(fstring sidstr_out, const DOM_SID *sid)
176 {
177         char *str = sid_string_talloc(talloc_tos(), sid);
178         fstrcpy(sidstr_out, str);
179         TALLOC_FREE(str);
180         return sidstr_out;
181 }
182
183 /*****************************************************************
184  Essentially a renamed dom_sid_string from librpc/ndr with a
185  panic if it didn't work
186
187  This introduces a dependency on librpc/ndr/sid.o which can easily
188  be turned around if necessary
189 *****************************************************************/
190
191 char *sid_string_talloc(TALLOC_CTX *mem_ctx, const DOM_SID *sid)
192 {
193         char *result = dom_sid_string(mem_ctx, sid);
194         SMB_ASSERT(result != NULL);
195         return result;
196 }
197
198 /*****************************************************************
199  Useful function for debug lines.
200 *****************************************************************/
201
202 char *sid_string_dbg(const DOM_SID *sid)
203 {
204         return sid_string_talloc(debug_ctx(), sid);
205 }
206
207 /*****************************************************************
208  Use with care!
209 *****************************************************************/
210
211 char *sid_string_tos(const DOM_SID *sid)
212 {
213         return sid_string_talloc(talloc_tos(), sid);
214 }
215
216 /*****************************************************************
217  Convert a string to a SID. Returns True on success, False on fail.
218 *****************************************************************/  
219    
220 bool string_to_sid(DOM_SID *sidout, const char *sidstr)
221 {
222         const char *p;
223         char *q;
224         /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */
225         uint32 conv;
226   
227         if ((sidstr[0] != 'S' && sidstr[0] != 's') || sidstr[1] != '-') {
228                 DEBUG(3,("string_to_sid: Sid %s does not start with 'S-'.\n", sidstr));
229                 return False;
230         }
231
232         ZERO_STRUCTP(sidout);
233
234         /* Get the revision number. */
235         p = sidstr + 2;
236         conv = (uint32) strtoul(p, &q, 10);
237         if (!q || (*q != '-')) {
238                 DEBUG(3,("string_to_sid: Sid %s is not in a valid format.\n", sidstr));
239                 return False;
240         }
241         sidout->sid_rev_num = (uint8) conv;
242         q++;
243
244         /* get identauth */
245         conv = (uint32) strtoul(q, &q, 10);
246         if (!q || (*q != '-')) {
247                 DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr));
248                 return False;
249         }
250         /* identauth in decimal should be <  2^32 */
251         /* NOTE - the conv value is in big-endian format. */
252         sidout->id_auth[0] = 0;
253         sidout->id_auth[1] = 0;
254         sidout->id_auth[2] = (conv & 0xff000000) >> 24;
255         sidout->id_auth[3] = (conv & 0x00ff0000) >> 16;
256         sidout->id_auth[4] = (conv & 0x0000ff00) >> 8;
257         sidout->id_auth[5] = (conv & 0x000000ff);
258
259         q++;
260         sidout->num_auths = 0;
261
262         for(conv = (uint32) strtoul(q, &q, 10);
263             q && (*q =='-' || *q =='\0') && (sidout->num_auths < MAXSUBAUTHS);
264             conv = (uint32) strtoul(q, &q, 10)) {
265                 sid_append_rid(sidout, conv);
266                 if (*q == '\0')
267                         break;
268                 q++;
269         }
270                 
271         return True;
272 }
273
274 DOM_SID *string_sid_talloc(TALLOC_CTX *mem_ctx, const char *sidstr)
275 {
276         DOM_SID *result = TALLOC_P(mem_ctx, DOM_SID);
277
278         if (result == NULL)
279                 return NULL;
280
281         if (!string_to_sid(result, sidstr))
282                 return NULL;
283
284         return result;
285 }
286
287 /*****************************************************************
288  Add a rid to the end of a sid
289 *****************************************************************/  
290
291 bool sid_append_rid(DOM_SID *sid, uint32 rid)
292 {
293         if (sid->num_auths < MAXSUBAUTHS) {
294                 sid->sub_auths[sid->num_auths++] = rid;
295                 return True;
296         }
297         return False;
298 }
299
300 bool sid_compose(DOM_SID *dst, const DOM_SID *domain_sid, uint32 rid)
301 {
302         sid_copy(dst, domain_sid);
303         return sid_append_rid(dst, rid);
304 }
305
306 /*****************************************************************
307  Removes the last rid from the end of a sid
308 *****************************************************************/  
309
310 bool sid_split_rid(DOM_SID *sid, uint32 *rid)
311 {
312         if (sid->num_auths > 0) {
313                 sid->num_auths--;
314                 *rid = sid->sub_auths[sid->num_auths];
315                 return True;
316         }
317         return False;
318 }
319
320 /*****************************************************************
321  Return the last rid from the end of a sid
322 *****************************************************************/  
323
324 bool sid_peek_rid(const DOM_SID *sid, uint32 *rid)
325 {
326         if (!sid || !rid)
327                 return False;           
328         
329         if (sid->num_auths > 0) {
330                 *rid = sid->sub_auths[sid->num_auths - 1];
331                 return True;
332         }
333         return False;
334 }
335
336 /*****************************************************************
337  Return the last rid from the end of a sid
338  and check the sid against the exp_dom_sid  
339 *****************************************************************/  
340
341 bool sid_peek_check_rid(const DOM_SID *exp_dom_sid, const DOM_SID *sid, uint32 *rid)
342 {
343         if (!exp_dom_sid || !sid || !rid)
344                 return False;
345                         
346         if (sid->num_auths != (exp_dom_sid->num_auths+1)) {
347                 return False;
348         }
349
350         if (sid_compare_domain(exp_dom_sid, sid)!=0){
351                 *rid=(-1);
352                 return False;
353         }
354         
355         return sid_peek_rid(sid, rid);
356 }
357
358 /*****************************************************************
359  Copies a sid
360 *****************************************************************/  
361
362 void sid_copy(DOM_SID *dst, const DOM_SID *src)
363 {
364         int i;
365
366         ZERO_STRUCTP(dst);
367
368         dst->sid_rev_num = src->sid_rev_num;
369         dst->num_auths = src->num_auths;
370
371         memcpy(&dst->id_auth[0], &src->id_auth[0], sizeof(src->id_auth));
372
373         for (i = 0; i < src->num_auths; i++)
374                 dst->sub_auths[i] = src->sub_auths[i];
375 }
376
377 /*****************************************************************
378  Write a sid out into on-the-wire format.
379 *****************************************************************/  
380
381 bool sid_linearize(char *outbuf, size_t len, const DOM_SID *sid)
382 {
383         size_t i;
384
385         if (len < ndr_size_dom_sid(sid, NULL, 0))
386                 return False;
387
388         SCVAL(outbuf,0,sid->sid_rev_num);
389         SCVAL(outbuf,1,sid->num_auths);
390         memcpy(&outbuf[2], sid->id_auth, 6);
391         for(i = 0; i < sid->num_auths; i++)
392                 SIVAL(outbuf, 8 + (i*4), sid->sub_auths[i]);
393
394         return True;
395 }
396
397 /*****************************************************************
398  Parse a on-the-wire SID to a DOM_SID.
399 *****************************************************************/  
400
401 bool sid_parse(const char *inbuf, size_t len, DOM_SID *sid)
402 {
403         int i;
404         if (len < 8)
405                 return False;
406
407         ZERO_STRUCTP(sid);
408
409         sid->sid_rev_num = CVAL(inbuf, 0);
410         sid->num_auths = CVAL(inbuf, 1);
411         if (sid->num_auths > MAXSUBAUTHS) {
412                 return false;
413         }
414         memcpy(sid->id_auth, inbuf+2, 6);
415         if (len < 8 + sid->num_auths*4)
416                 return False;
417         for (i=0;i<sid->num_auths;i++)
418                 sid->sub_auths[i] = IVAL(inbuf, 8+i*4);
419         return True;
420 }
421
422 /*****************************************************************
423  Compare the auth portion of two sids.
424 *****************************************************************/  
425
426 static int sid_compare_auth(const DOM_SID *sid1, const DOM_SID *sid2)
427 {
428         int i;
429
430         if (sid1 == sid2)
431                 return 0;
432         if (!sid1)
433                 return -1;
434         if (!sid2)
435                 return 1;
436
437         if (sid1->sid_rev_num != sid2->sid_rev_num)
438                 return sid1->sid_rev_num - sid2->sid_rev_num;
439
440         for (i = 0; i < 6; i++)
441                 if (sid1->id_auth[i] != sid2->id_auth[i])
442                         return sid1->id_auth[i] - sid2->id_auth[i];
443
444         return 0;
445 }
446
447 /*****************************************************************
448  Compare two sids.
449 *****************************************************************/  
450
451 int sid_compare(const DOM_SID *sid1, const DOM_SID *sid2)
452 {
453         int i;
454
455         if (sid1 == sid2)
456                 return 0;
457         if (!sid1)
458                 return -1;
459         if (!sid2)
460                 return 1;
461
462         /* Compare most likely different rids, first: i.e start at end */
463         if (sid1->num_auths != sid2->num_auths)
464                 return sid1->num_auths - sid2->num_auths;
465
466         for (i = sid1->num_auths-1; i >= 0; --i)
467                 if (sid1->sub_auths[i] != sid2->sub_auths[i])
468                         return sid1->sub_auths[i] - sid2->sub_auths[i];
469
470         return sid_compare_auth(sid1, sid2);
471 }
472
473 int sid_compare_sort(const void *p1, const void *p2)
474 {
475         const struct dom_sid *sid1 = (const struct dom_sid *)p1;
476         const struct dom_sid *sid2 = (const struct dom_sid *)p2;
477         int i, res;
478
479         if (sid1->sid_rev_num != sid2->sid_rev_num) {
480                 return sid1->sid_rev_num - sid2->sid_rev_num;
481         }
482
483         for (i = 0; i < 6; i++) {
484                 if (sid1->id_auth[i] != sid2->id_auth[i]) {
485                         return sid1->id_auth[i] - sid2->id_auth[i];
486                 }
487         }
488
489         if (sid1->num_auths != sid2->num_auths) {
490                 return sid1->num_auths - sid2->num_auths;
491         }
492
493         for (i = 0; i<sid1->num_auths; i++) {
494                 if (sid1->sub_auths[i] != sid2->sub_auths[i]) {
495                         return sid1->sub_auths[i] - sid2->sub_auths[i];
496                 }
497         }
498
499         return 0;
500 }
501
502 /*****************************************************************
503  See if 2 SIDs are in the same domain
504  this just compares the leading sub-auths
505 *****************************************************************/  
506
507 int sid_compare_domain(const DOM_SID *sid1, const DOM_SID *sid2)
508 {
509         int n, i;
510
511         n = MIN(sid1->num_auths, sid2->num_auths);
512
513         for (i = n-1; i >= 0; --i)
514                 if (sid1->sub_auths[i] != sid2->sub_auths[i])
515                         return sid1->sub_auths[i] - sid2->sub_auths[i];
516
517         return sid_compare_auth(sid1, sid2);
518 }
519
520 /*****************************************************************
521  Compare two sids.
522 *****************************************************************/  
523
524 bool sid_equal(const DOM_SID *sid1, const DOM_SID *sid2)
525 {
526         return sid_compare(sid1, sid2) == 0;
527 }
528
529 /*****************************************************************
530  Returns true if SID is internal (and non-mappable).
531 *****************************************************************/
532
533 bool non_mappable_sid(DOM_SID *sid)
534 {
535         DOM_SID dom;
536         uint32 rid;
537
538         sid_copy(&dom, sid);
539         sid_split_rid(&dom, &rid);
540
541         if (sid_equal(&dom, &global_sid_Builtin))
542                 return True;
543
544         if (sid_equal(&dom, &global_sid_NT_Authority))
545                 return True;
546
547         return False;
548 }
549
550 /*****************************************************************
551  Return the binary string representation of a DOM_SID.
552  Caller must free.
553 *****************************************************************/
554
555 char *sid_binstring(const DOM_SID *sid)
556 {
557         char *buf, *s;
558         int len = ndr_size_dom_sid(sid, NULL, 0);
559         buf = (char *)SMB_MALLOC(len);
560         if (!buf)
561                 return NULL;
562         sid_linearize(buf, len, sid);
563         s = binary_string_rfc2254(buf, len);
564         free(buf);
565         return s;
566 }
567
568 /*****************************************************************
569  Return the binary string representation of a DOM_SID.
570  Caller must free.
571 *****************************************************************/
572
573 char *sid_binstring_hex(const DOM_SID *sid)
574 {
575         char *buf, *s;
576         int len = ndr_size_dom_sid(sid, NULL, 0);
577         buf = (char *)SMB_MALLOC(len);
578         if (!buf)
579                 return NULL;
580         sid_linearize(buf, len, sid);
581         s = binary_string(buf, len);
582         free(buf);
583         return s;
584 }
585
586 /*******************************************************************
587  Tallocs a duplicate SID. 
588 ********************************************************************/ 
589
590 DOM_SID *sid_dup_talloc(TALLOC_CTX *ctx, const DOM_SID *src)
591 {
592         DOM_SID *dst;
593         
594         if(!src)
595                 return NULL;
596         
597         if((dst = TALLOC_ZERO_P(ctx, DOM_SID)) != NULL) {
598                 sid_copy( dst, src);
599         }
600         
601         return dst;
602 }
603
604 /********************************************************************
605  Add SID to an array SIDs
606 ********************************************************************/
607
608 NTSTATUS add_sid_to_array(TALLOC_CTX *mem_ctx, const DOM_SID *sid,
609                           DOM_SID **sids, size_t *num)
610 {
611         *sids = TALLOC_REALLOC_ARRAY(mem_ctx, *sids, DOM_SID,
612                                              (*num)+1);
613         if (*sids == NULL) {
614                 *num = 0;
615                 return NT_STATUS_NO_MEMORY;
616         }
617
618         sid_copy(&((*sids)[*num]), sid);
619         *num += 1;
620
621         return NT_STATUS_OK;
622 }
623
624
625 /********************************************************************
626  Add SID to an array SIDs ensuring that it is not already there
627 ********************************************************************/
628
629 NTSTATUS add_sid_to_array_unique(TALLOC_CTX *mem_ctx, const DOM_SID *sid,
630                                  DOM_SID **sids, size_t *num_sids)
631 {
632         size_t i;
633
634         for (i=0; i<(*num_sids); i++) {
635                 if (sid_compare(sid, &(*sids)[i]) == 0)
636                         return NT_STATUS_OK;
637         }
638
639         return add_sid_to_array(mem_ctx, sid, sids, num_sids);
640 }
641
642 /********************************************************************
643  Remove SID from an array
644 ********************************************************************/
645
646 void del_sid_from_array(const DOM_SID *sid, DOM_SID **sids, size_t *num)
647 {
648         DOM_SID *sid_list = *sids;
649         size_t i;
650
651         for ( i=0; i<*num; i++ ) {
652
653                 /* if we find the SID, then decrement the count
654                    and break out of the loop */
655
656                 if ( sid_equal(sid, &sid_list[i]) ) {
657                         *num -= 1;
658                         break;
659                 }
660         }
661
662         /* This loop will copy the remainder of the array 
663            if i < num of sids ni the array */
664
665         for ( ; i<*num; i++ ) 
666                 sid_copy( &sid_list[i], &sid_list[i+1] );
667         
668         return;
669 }
670
671 bool add_rid_to_array_unique(TALLOC_CTX *mem_ctx,
672                                     uint32 rid, uint32 **pp_rids, size_t *p_num)
673 {
674         size_t i;
675
676         for (i=0; i<*p_num; i++) {
677                 if ((*pp_rids)[i] == rid)
678                         return True;
679         }
680         
681         *pp_rids = TALLOC_REALLOC_ARRAY(mem_ctx, *pp_rids, uint32, *p_num+1);
682
683         if (*pp_rids == NULL) {
684                 *p_num = 0;
685                 return False;
686         }
687
688         (*pp_rids)[*p_num] = rid;
689         *p_num += 1;
690         return True;
691 }
692
693 bool is_null_sid(const DOM_SID *sid)
694 {
695         static const DOM_SID null_sid = {0};
696         return sid_equal(sid, &null_sid);
697 }
698
699 bool is_sid_in_token(const NT_USER_TOKEN *token, const DOM_SID *sid)
700 {
701         int i;
702
703         for (i=0; i<token->num_sids; i++) {
704                 if (sid_compare(sid, &token->user_sids[i]) == 0)
705                         return true;
706         }
707         return false;
708 }
709
710 NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx,
711                               const struct netr_SamInfo3 *info3,
712                               DOM_SID **user_sids,
713                               size_t *num_user_sids,
714                               bool include_user_group_rid,
715                               bool skip_ressource_groups)
716 {
717         NTSTATUS status;
718         DOM_SID sid;
719         DOM_SID *sid_array = NULL;
720         size_t num_sids = 0;
721         int i;
722
723         if (include_user_group_rid) {
724                 if (!sid_compose(&sid, info3->base.domain_sid, info3->base.rid)) {
725                         DEBUG(3, ("could not compose user SID from rid 0x%x\n",
726                                   info3->base.rid));
727                         return NT_STATUS_INVALID_PARAMETER;
728                 }
729                 status = add_sid_to_array(mem_ctx, &sid, &sid_array, &num_sids);
730                 if (!NT_STATUS_IS_OK(status)) {
731                         DEBUG(3, ("could not append user SID from rid 0x%x\n",
732                                   info3->base.rid));
733                         return status;
734                 }
735         }
736
737         if (!sid_compose(&sid, info3->base.domain_sid, info3->base.primary_gid)) {
738                 DEBUG(3, ("could not compose group SID from rid 0x%x\n",
739                           info3->base.primary_gid));
740                 return NT_STATUS_INVALID_PARAMETER;
741         }
742         status = add_sid_to_array(mem_ctx, &sid, &sid_array, &num_sids);
743         if (!NT_STATUS_IS_OK(status)) {
744                 DEBUG(3, ("could not append group SID from rid 0x%x\n",
745                           info3->base.rid));
746                 return status;
747         }
748
749         for (i = 0; i < info3->base.groups.count; i++) {
750                 /* Don't add the primary group sid twice. */
751                 if (info3->base.primary_gid == info3->base.groups.rids[i].rid) {
752                         continue;
753                 }
754                 if (!sid_compose(&sid, info3->base.domain_sid,
755                                  info3->base.groups.rids[i].rid)) {
756                         DEBUG(3, ("could not compose SID from additional group "
757                                   "rid 0x%x\n", info3->base.groups.rids[i].rid));
758                         return NT_STATUS_INVALID_PARAMETER;
759                 }
760                 status = add_sid_to_array(mem_ctx, &sid, &sid_array, &num_sids);
761                 if (!NT_STATUS_IS_OK(status)) {
762                         DEBUG(3, ("could not append SID from additional group "
763                                   "rid 0x%x\n", info3->base.groups.rids[i].rid));
764                         return status;
765                 }
766         }
767
768         /* Copy 'other' sids.  We need to do sid filtering here to
769            prevent possible elevation of privileges.  See:
770
771            http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
772          */
773
774         for (i = 0; i < info3->sidcount; i++) {
775
776                 if (skip_ressource_groups &&
777                     (info3->sids[i].attributes & SE_GROUP_RESOURCE)) {
778                         continue;
779                 }
780
781                 status = add_sid_to_array(mem_ctx, info3->sids[i].sid,
782                                       &sid_array, &num_sids);
783                 if (!NT_STATUS_IS_OK(status)) {
784                         DEBUG(3, ("could not add SID to array: %s\n",
785                                   sid_string_dbg(info3->sids[i].sid)));
786                         return status;
787                 }
788         }
789
790         *user_sids = sid_array;
791         *num_user_sids = num_sids;
792
793         return NT_STATUS_OK;
794 }
SAMBA-CTDB repository